I’m fairly new at nginx configuration and my team has asked me to set up a web-facing Gitea cloud server.
I configured ufw to allow www (http, https), ssh, by default refuse all incoming connections and allow all outgoing connections. I did NOT add port 3000, so while formerly http://my-server.mydomain.com:3000 was working (proving that Gitea install worked and the app was running), this URL was properly refused only when I enabled ufw.
The URL https://my-server.mydomain.com is throwing a 404 (Not Found).
Any idea how I can get my Gitea properly responding via https?
Here’s the contents of my file /etc/nginx/sites-enabled/gitea (since certbot added its content to /etc/nginx/sites-enabled/default and Gitea added its content to /etc/nginx/sites-enabled/gitea, I tried to merge the two and removed default from my enabled sites. Obviously I missed something):
upstream gitea {
# Gitea's own HTTP listener on this host. Port 3000 is not opened in ufw
# (see the question above), so from outside it is reachable only through
# this nginx proxy.
# NOTE(review): in this listing the upstream is declared but never used --
# the @node location below proxies to http://localhost:3000 directly.
server localhost:3000;
}
server {
# SSL configuration
#
# NOTE(review): this is the configuration from the question, kept as posted.
# The review comments below mark the points that most likely explain why
# every HTTPS request ends in a 404.
root /var/lib/gitea/public;
# Add index.php to the list if you are using PHP
#index index.html index.htm index.nginx-debian.html;
# NOTE(review): the short name "my-server" does not match the certificate
# name my-server.mydomain.com used by the port-80 block. If this is the only
# server listening on 443 it is the default server and still answers, so
# this alone does not cause the 404 -- but it should match the FQDN.
server_name my-server; # managed by Certbot
# NOTE(review): access_log/error_log take a file path or "off"; "on" is
# read as a (relative) file name, not as a switch. Use explicit paths under
# /var/log/nginx/ instead.
access_log on;
error_log on;
location / {
# First attempt to serve request as file,
# then redirect to gitea, then fall back to displaying a 404.
# try_files maintain.html $uri $uri/index.html @node $uri/ =404;
# NOTE(review): only the LAST try_files argument may be a named location
# (@node) or a =code. Here @node is not last, so nginx most likely looks
# for a file literally named "@node" under root and then returns =404;
# Gitea is never proxied. This is the probable cause of the 404.
# Also: the leading "maintain.html" means that file, if present under root,
# is served for every request (a maintenance-page switch), and "$uri" lets
# nginx serve any file under /var/lib/gitea/public directly.
try_files maintain.html $uri $uri/index.html @node =404;
}
# Reverse proxy to the Gitea process; reached only as the try_files
# fallback above.
location @node {
# 0 removes the request-body size limit entirely; the later listings on
# this page cap uploads at 900M instead.
client_max_body_size 0;
# Bypasses the "gitea" upstream declared above the server block.
proxy_pass http://localhost:3000;
# Client address, original Host and scheme are passed through so Gitea
# sees the external request rather than the proxy's.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto $scheme;
# 0 disables buffering of upstream responses to temporary files.
proxy_max_temp_file_size 0;
# Location headers from Gitea are passed to the client unmodified.
proxy_redirect off;
proxy_read_timeout 120;
}
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/my-server.mydomain.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/my-server.mydomain.com/privkey.pem; # managed by Certbot
# Certbot's shared TLS settings; keep this include rather than hand-rolling
# ssl_* directives in this block.
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
# Certbot-generated HTTP listener: redirect the expected host to HTTPS and
# answer anything else (raw IP, unexpected Host header) with the 404 below.
# $host in the redirect target is safe here because the guard has already
# pinned it to the literal name.
if ($host = my-server.mydomain.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
# NOTE(review): "on" is not a valid switch for access_log/error_log; it is
# read as a file name. Use an explicit path or "off".
access_log on;
error_log on;
listen 80 ;
listen [::]:80 ;
server_name my-server.mydomain.com;
return 404; # managed by Certbot
}
Here’s the contents of my file /etc/gitea/app.ini:
OK, nailed it. I think it might help others if I post my solution:
Contents of the nginx Gitea configuration file:
upstream gitea {
# Gitea's own HTTP listener on this host (port 3000 is not exposed by ufw).
# NOTE(review): declared but unused in this listing -- location / below
# proxies to http://localhost:3000 directly. Either drop it or reference it
# as proxy_pass http://gitea so the backend address lives in one place.
server localhost:3000;
}
server {
# SSL configuration
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
# No location in this block serves files, so root has no effect on the
# proxied requests; it is left over from the earlier try_files variant.
root /var/lib/gitea/public;
# Add index.php to the list if you are using PHP
#index index.html index.htm index.nginx-debian.html;
# Now the full certificate name, matching the port-80 block.
server_name my-server.mydomain.com; # managed by Certbot
access_log /var/log/nginx/gitea_access.log;
error_log /var/log/nginx/gitea_error.log;
# Every request is proxied straight to Gitea; nothing is served from disk.
location / {
# Upper bound on request bodies (pushes, attachments). Large, but bounded;
# adjust to the largest push/upload you actually expect.
client_max_body_size 900M;
# Bypasses the "gitea" upstream declared above the server block.
proxy_pass http://localhost:3000;
# Client address, original Host and scheme passed through so Gitea sees
# the external request rather than the proxy's.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto $scheme;
# 0 disables buffering of upstream responses to temporary files.
proxy_max_temp_file_size 0;
proxy_read_timeout 120;
}
#ssl_session_cache shared:SSL:10m;
#ssl_session_timeout 10m;
#keepalive_timeout 70;
ssl_certificate /etc/letsencrypt/live/my-server.mydomain.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/my-server.mydomain.com/privkey.pem; # managed by Certbot
# Certbot's shared TLS settings; keep this include rather than hand-rolling
# ssl_* directives in this block.
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
# NOTE(review): no Strict-Transport-Security header is set in this block.
# Once HTTPS is confirmed to work, consider adding one (add_header
# Strict-Transport-Security) so browsers stop trying plain HTTP first.
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
# Certbot-generated HTTP listener: redirect the expected host to HTTPS and
# answer anything else (raw IP, unexpected Host header) with the 404 below.
# $host in the redirect target is safe here because the guard has already
# pinned it to the literal name.
if ($host = my-server.mydomain.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
# Same log files as the 443 block, so HTTP and HTTPS traffic interleave.
access_log /var/log/nginx/gitea_access.log;
error_log /var/log/nginx/gitea_error.log;
listen 80 ;
listen [::]:80 ;
server_name my-server.mydomain.com;
return 404; # managed by Certbot
}
Contents of the Gitea app.ini file [server] block (which was the only one I had to change to make basic access work). Also, there were a few deprecated keys in my original post, so I updated these as well:
Final update. I reworked the configuration to allow Gitea to run internally on http://localhost:3000 while exposing it to the world as https://my-server.mydomain.com (which automatically redirects to https://my-server.mydomain.com/gitea):
NGINX configuration
upstream gitea {
# Gitea's own HTTP listener on this host (port 3000 is not exposed by ufw).
# Referenced by the /gitea/ location as proxy_pass http://gitea/; note the
# static-asset location in the same listing still names localhost:3000
# directly, so the backend address currently lives in two places.
server localhost:3000;
}
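server {
# SSL configuration
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
# Kept for parity with the earlier listings; no location in this block
# serves files from it -- every request is redirected or proxied.
root /var/lib/gitea/public;
# Add index.php to the list if you are using PHP
#index index.html index.htm index.nginx-debian.html;
server_name my-server.mydomain.com; # managed by Certbot
access_log /var/log/nginx/gitea_access.log;
error_log /var/log/nginx/gitea_error.log;
# Everything outside /gitea is redirected under /gitea. The 308 (Permanent
# Redirect) keeps the HTTP verb (GET, POST, ...) on the redirected request.
# The target is built from $server_name -- the literal name configured
# above -- rather than $host, so a request carrying an arbitrary Host header
# cannot steer the redirect to a host of the sender's choosing.
# The pattern also lets a bare "/gitea" (with or without a query string)
# through to the exact-match location below instead of redirecting it to
# "/gitea/gitea".
if ($request_uri !~ "^/gitea([/?]|$)") {
return 308 https://$server_name/gitea$request_uri;
}
# Bare /gitea -> /gitea/ (query string preserved) so it reaches the proxy
# location below instead of being looked up as a file under root.
location = /gitea {
return 308 https://$server_name/gitea/$is_args$args;
}
location /gitea/ {
# Upper bound on request bodies (pushes, attachments); adjust to the
# largest push/upload you actually expect.
client_max_body_size 900M;
# Trailing slash: the /gitea/ prefix is stripped before the request
# reaches Gitea. Whether Gitea expects the stripped or the full path
# depends on ROOT_URL in the app.ini [server] block, which is not shown
# on this page -- confirm it agrees with the static-asset location below,
# which forwards the prefix unchanged.
proxy_pass http://gitea/; # Ensure the trailing slash is present
# Client address, original Host and scheme passed through so Gitea sees
# the external request rather than the proxy's.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto $scheme;
# 0 disables buffering of upstream responses to temporary files.
proxy_max_temp_file_size 0;
proxy_read_timeout 120;
# Location headers from Gitea are passed to the client unmodified; Gitea
# builds them from its own ROOT_URL.
proxy_redirect off;
# NOTE(review): X-Script-Name is a WSGI-style convention; I am not aware of
# Gitea reading it. Harmless if unused -- kept from the original.
proxy_set_header X-Script-Name /gitea;
}
# Static assets keep their /gitea/ prefix: a regex location cannot carry a
# URI part in proxy_pass, so the path is forwarded unchanged. Routed through
# the same "gitea" upstream as the main location instead of a second literal
# localhost:3000, so the backend address lives in one place.
location ~* ^/gitea/(css|js|fonts|img|less|vendor)/ {
proxy_pass http://gitea; # Ensure no trailing slash (regex location)
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_max_temp_file_size 0;
proxy_read_timeout 120;
proxy_redirect off;
proxy_set_header X-Script-Name /gitea;
}
ssl_certificate /etc/letsencrypt/live/my-server.mydomain.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/my-server.mydomain.com/privkey.pem; # managed by Certbot
# Certbot's shared TLS settings; keep this include rather than hand-rolling
# ssl_* directives in this block.
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
# NOTE(review): no Strict-Transport-Security header is set in this block.
# Once HTTPS is confirmed to work, consider adding one (add_header
# Strict-Transport-Security) so browsers stop trying plain HTTP first.
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}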
server {
# Certbot-generated HTTP listener: redirect the expected host to HTTPS and
# answer anything else (raw IP, unexpected Host header) with the 404 below.
# $host in the redirect target is safe here because the guard has already
# pinned it to the literal name; the 443 block then sends the request on
# to /gitea/.
if ($host = my-server.mydomain.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
# Same log files as the 443 block, so HTTP and HTTPS traffic interleave.
access_log /var/log/nginx/gitea_access.log;
error_log /var/log/nginx/gitea_error.log;
listen 80 ;
listen [::]:80 ;
server_name my-server.mydomain.com;
return 404; # managed by Certbot
}